Firebase realtime-database rules [closed]

Here is my example database:

{
  "referrals" : {
    "Nr7sS4xV1fO59wjCqbEabLlK8RF3" : {
      "16-10-2020" : {
        "-MJhjQddWdWDImj98Sov" : {
          "city" : "hyhy",
          "name" : "mmmm",
          "number" : "03058852844",
          "remarks" : "pg"
        },
        "-MJhmeRiqeXskncHJF61" : {
          "city" : "vsva",
          "name" : "yhyh",
          "number" : "02089453882",
          "remarks" : "pg"
        }
      },
      "total_referrals" : 2
    },
    "jpeoZQAPdZY4yEt8yGifGZi4U4r1" : {
      "16-10-2020" : {
        "-MJlzrS8xX8MGN1ar9uw" : {
          "city" : "lahore",
          "name" : "khursand",
          "number" : "03014181394",
          "remarks" : "paid"
        },
        "-MJm-LFhEEMBzBPRftlC" : {
          "city" : "lahore",
          "name" : "khursand",
          "number" : "03014141111",
          "remarks" : "pg"
        }
      },
      "total_referrals" : 2
    }
  },
  "users" : {
    "Nr7sS4xV1fO59wjCqbEabLlK8RF3" : {
      "account_status" : "Level 1",
      "current_balance" : "0",
      "isBan" : false,
      "paid_referrals" : "0",
      "total_balance" : "0",
      "total_withdraw" : "0"
    },
    "jpeoZQAPdZY4yEt8yGifGZi4U4r1" : {
      "account_status" : "Level 1",
      "current_balance" : "0",
      "paid_referrals" : "0",
      "total_balance" : "0",
      "total_withdraw" : "0"
    }
  },
  "withdraw_details" : {
    "Nr7sS4xV1fO59wjCqbEabLlK8RF3" : {
      "-MJMgVd3TuWYjdGSd-FY" : {
        "amount" : "600",
        "date" : "11/10/2020",
        "method" : "Easypaisa",
        "number" : "03058853833",
        "tid" : "90124678573"
      }
    },
    "jpeoZQAPdZY4yEt8yGifGZi4U4r1" : {
      "-MJm7SfTwWafae85ayRq" : {
        "amount" : "600",
        "date" : "11/10/2020",
        "method" : "Easypaisa",
        "number" : "03494628929",
        "tid" : "90124678573"
      }
    }
  }
}

And here are my database rules that I've tried to set in console:

{
  "rules": {
    "users":{
      "$user_id":{
        ".read": "$user_id == auth.uid && auth != null", // only owner or authenticated user can read
        ".write": false // No-one can write
          
      }
    },
      
    "withdraw_details":{
      "$user_id":{
        ".read": "$user_id == auth.uid && auth != null",// only owner or authenticated user can read
        ".write": false // No-one can write
      }
    },
        
    "referrals": {
      "$user_id": {
        ".read": "$user_id == auth.uid && auth != null", // same as above
        ".write": "$user_id == auth.uid && auth != null", // owner and authenticated can write
          "$date": {
            // children should be only these
            ".validate": "newData.hasChildren(['name', 'number', 'city', 'remarks'])",
              // you can see further validation rules below
            "name": {".validate": "newData.isString() && newData.val().length <= 30"},
            "number": {".validate": "newData.isNumber() && newData.val().length == 11"},
            "city": {".validate": "newData.isString() && newData.val().length <= 20"},
            "remarks": {".validate": "newData.isString() && newData.val().length <= 15"},
            
              // any other child should be rejected
            "$other": {".validate": false}
            
          }
      }
    }  
  }

Now I don't know what I am doing wrong here because every time I try to read any child it throws a "Permission denied" error.

Moreover, on further clarification, I want the /users/uid/ && /withdraw_details/uid/ to be read only by it's owner and auth shouldn't be null. and write access to these locations should be denied.

The /referrals/uid/ location should have read and write access to its owner and with certain criteria and validations as you can see in the images above.

Thanks.



Read more here: https://stackoverflow.com/questions/64396302/firebase-realtime-database-rules

Content Attribution

This content was originally published by Moutamid Waseem at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: